Requested Patent: W09812636A1 



Title: SOFTWARE ANTI-VIRUS FACILITY ; 

Abstracted Patent W09812636 ; 

Publication Date: 1 998-03-26 ; 

lnventor(s): LETTVIN JONATHAN D (US) ; 

Applicants): LETTVIN JONATHAN D (US) ; 

Application Number WO1997US02345 19970213 ; 

Priority Numbers): US1 99607 14938 19960917 ; 

IPC Classification: G06F1 1/00 ; 

Equivalents: AU2272997 ; 

ABSTRACT: 



A virus-resistant disk has a "hidden partition" in which anti-virus software is stored; the hidden 
partition not only shields the software from many viruses, but provides storage space that does 
not reduce the disk's formatted or advertised capacity. The disk includes software to cause the 
computer to execute the anti-virus software. The invention provides a hidden partition by utilizing 
storage space on the disk that is not reflected in the size and geometry information stored on the 
disk, e.g., in the BIOS Parameter Block. 



WORLD INTELLECTUAL PROPERTY ORGANIZATION 

Internationa] Bureau 




PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification 6 : 




(11) International Publication Number: 


WO 98/12636 


G06F 11/00 


Al 


(43) International Publication Date: 


26 March 1998 (26.03.98) 



(21) International Application Number: PCT/ US9 7/02 3 45 

(22) International Filing Date: 13 February 1997 (13.02.97) 



(30) Priority Data: 
08/714,938 



17 September 1996 (17.09.96) US 



(71)(72) Applicant and Inventor: LETTVIN, Jonathan, D. 
[US/US]; 194 Walrham Street, Lexington, MA 02173 (US). 

(74) Agents: FRANK, Steven, J. et al.; Cesari and McKenna, LLP, 
30 Rowes Wharf, Boston, MA 021 10 (US). 



(81) Designated States: AL, AM, AU, AZ, BA, BB. BG, BR, BY, 
CA, CN. CU, CZ. EE, GE, HU. IL, IS, JP, KG, KP, KR, 
KZ, LK, LR, LS, LT, MD, MG, MK, MN, MX, NZ, PL, 
RO, RU, SG, SI, SK, TJ, TM, TR, UA, UZ, VN, ARIPO 
patent (KE, LS, MW, SD, SZ, UG), Eurasian patent (AM, 
AZ, BY. KG. KZ, MD, RU, TJ, TM), European patent (AT, 
BE, CH, DE, DK, ES, FI, FR, GB, GR, IE. IT, LU, MC, 
NL. PT, SE), OAPI patent (BF, BJ. CF, CG, CI, CM, GA, 
GN, ML. MR, NE, SN, TO, TG). 



Published 

With international search report. 



(54) Title: SOFTWARE ANTI- VIRUS FACILITY 
(57) Abstract 



A virus-resistant disk has a "hidden parti- 
tion" in which anti-virus software is stored; the 
hidden partition not only shields the software 
from many viruses, but provides storage space 
that does not reduce the disk's formatted or ad* 
vertised capacity. The disk includes software to 
cause the computer to execute the anti-virus soft- 
ware. The invention provides a hidden partition 
by utilizing storage space on the disk that is not 
reflected in the size and geometry information 
stored on the disk, e.g., in the BIOS Parameter 
Block. 




FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT. 



AL 


Albania 


ES 


Spain 


LS 


AM 


Armenia 


Ft 


Finland 


LT 


AT 


Austria 


FR 


France 


LU 


All 


Australia 


GA 


Gabon 


LV 


AZ 


Azerbaijan 


GB 


United Kingdom 


MC 


BA 


Bosnia and Herzegovina 


GE 


Georgia 


MD 


BB 


Barbados 


CH 


Ghana 


MG 


BE 


Belgium 


GN 


Guinea 


MK 


BP 


Burkina Paso 


GR 


Greece 




BG 


Bulgaria 


HU 


Hungary 


ML 


BJ 


Benin 


IC 


Ireland 


MN 


BR 


Brazil 


It 


Israel 


MR 


BY 


Belarus 


IS 


Iceland 


MW 


CA 


Canada 


IT 


Italy 


MX 


CF 


Central African Republic 


JP 


Japan 


NE 


CG 


Congo 


KB 


Kenya 


NL 


CH 


Switzerland 


KG 


Kyrgyzstan 


NO 


a 


Cote d'lvohe 


KP 


Democratic People' I 


NZ 


CM 


Cameroon 




Republic of Korea 


PL 


CN 


China 


KR 


Republic of Korea 


PT 


CU 


Cuba 


KZ 


Kazaksran 


RO 


cz 


Czech Republic 


ix: 


Saint Lucia 


RU 


DE 


Germany 


U 


Liechtenstein 


SD 


OK 


Denmark 


LK 


Sri Lanka 


SB 


BE 


Estonia 


LR 


Liberia 


SG 



Lesotho 


St 


Slovenia 


Lithuania 


SK 


Slovakia 


Lusemboorg 


SN 


Senega) 


tjuvia 


SZ 


Swaziland 


Monaco 


TD 


Chad 


Republic of Moldova 


TG 


Togo 


Madagascar 


TJ 


Tajikistan 


The former Yugoslav 


TM 


Turkmenistan 


Republic of Macedonia 


TR 


Turkey 


Mali 


TT 


Trinidad and Tobago 


Mongolia 


UA 


Ukraine 


Mauritania 


UG 


Uganda 


Malawi 


US 


United States of America 


Mexico 


UZ 


Uzbekistan 


Niger 


VN 


Via Nam 


Netherlands 


vu 


Yugoslavia 


Norway 


zw 


Zimbabwe 



New Zealand 
Poland 
Portugal 
Romania 

Russian Federation 

Sudan 

Sweden 

Singapore 



WO 98/12636 



PCT/US97/02345 



1 

SOFTWARE ANTI-VIRUS FACILITY 

COPYRIGHT NOTICE 
A portion of the disclosure of this patent document contains material which is 
subject to copyright protection. The copyright owner has no objection to the facsimile 
reproduction by anyone of the patent document or the patent disclosure, as it appears 
in the Patent and Trademark Office patent file or records, but otherwise reserves ail 
copyright rights whatsoever 

FIELD OF THE INVENTION 

The invention relates to detecting, identifying and removing computer viruses 
from components of a computer, and more particularly to a startup (bootstrap) disk 
that stores anti-virus software and facilitates the execution of this software at 
bootstrap time, i.e., before the computer begins executing an ultimate operating 
system (e.g., MS-DOS). 

BACKGROUND OF THE INVENTION 

A computer virus is software that is executed by a computer without the 
knowledge or authorization of the computer's user and that causes unauthorized and 
unwanted changes to components of the computer or to information stored on the 
computer. For example, some viruses alter or destroy data stored on disk, scramble 
characters on video display screens, display misleading messages to users, and 
consume computer or network resources thereby preventing users from performing 
desired tasks. A virus usually attempts to propagate itself to other computers by 
making copies of itself on any accessible diskettes or hard disks (collectively "disks") 
or other non-volatile memory such as "flash" read-only memory (ROM). A virus 
"attack" herein means any change made to a computer component by a virus, such as 
a change to stored information or the making of a propagation copy of the virus. 

Viruses typically propagate by opportunistically copying themselves to 
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virus, ff a user transports an infected disk to a second computer and the second 
computer executes the virus, the virus then attempts to infect disks on the second 
computer, and so on. viruses generally employ one of two techniques to cause a 
subsequent execution of themselves. Some viruses attach themselves to application 
programs that are stored on a disk. When a user runs the infected program, the virus 
also executes. Most viruses, however, are "bootstrap-time viruses" that replace the 
startup (bootstrap) program located on the infected disk with a program that causes 
the computer to execute the virus if the disk is subsequently used as a startup disk on 
this or another computer. Once the virus executes, it arranges for itself to remain in 
the memory of the computer after bootstrap, but causes the computer to execute the 
normal bootstrap program so as to mask its presence. Following completion of 
bootstrap, the virus remains stored on the computer and capable of causing further 
mischief. 

Bootstrap programs execute as part of a bootstrap sequence initiated by the 
application of power or a reset signal to a computer. During this sequence, the 
computer performs a power-on self-test ("POST"), then locates a bootstrap program 
on a disk and then executes the bootstrap program. The bootstrap program is always 
stored at a characteristic, fixed location (the "boot block") on the disk. Generally, the 
bootstrap program readies the computer for normal functioning by causing it to load 
and execute an operating system, such as MS-DOS, OS/2, NetWare, UNIX, or 
Windows-NT, although the bootstrap program can also cause the computer to 
execute one or more other programs prior to executing the operating system. 
Accordingly, as used herein, the term "bootstrap" includes the time and steps taken 
between the application of power or reset signal and the execution of the last program 
prior to the operating system; and "operating system" is software that manages a 
computer's resources (e.g., disks and memory) and provides low-level services (e.g., 
I/O, timer, memory management, interprogram communication) to application 
programs. An "application program" is not part of an operating system and can only 
execute under the control of an operating system. 

To overcome the problems created by viruses, practitioners have developed a 
variety of "anti-virus* programs that both detect and remove known viruses. Anti-virus 
software searches for "signatures", including characteristic behaviors, of viruses and 
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include Command Software Systems F-PROT, IBM Antivirus, and Sophos Sweep. 
However, and quite problematically, bootstrap-time viruses can interfere with the 
operation of prior art anti-virus software. In addition, the presence of an operating 
system can obscure the presence of a virus in the memory of a computer. 

As noted previously, a bootstrap program is stored at a characteristic disk 
location or address. For Addressing* purposes, disks are divided into surfaces, 
tracks, and sectors. The "formatted capacity", in bytes, of a disk (also known as the 
"advertised capacity") equals the product of the number of. surfaces, tracks per 
surface, sectors per track, and bytes per sector of the disk A hard disk can be further 
divided into one or more logical "partitions", each partition being treated as a separate 
disk. Generally, the first sector of a diskette and the first sector of each partition of a 
hard disk contains a disk descriptor block which contains size and geometry 
information about the disk, such as the number of sectors per track. 11 BIOS Parameter 
Block" herein refers to the area on the disk where this information is characteristically 
stored. The following Table 1 lists the relevant fields of the BIOS Parameter Block. 
"Conventional storage capacity" of a disk herein means the formatted capacity of the 
disk as reflected by information in the BIOS Parameter Block of the disk. 



Size (bytes) 


Field 


2 


Number of bytes per sector 


2 


Total number of sectors in volume (logical partition) 


2 


Number of sectors per track 


2 


Number of surfaces (heads) 


2 


Number of entries in root directory 



Table 1 - Selected Fields of the BIOS Parameter Block 



20 Computers can include storage devices other than conventional disks. 

For reasons of design or in an emergency, the computer can be booted from a 
non-disk device such as a flash ROM, removable bubble random-access 
memory (RAM), an optical storage device such as a CD-ROM, or a tape drive. 
These devices, too, can be infected with viruses. 
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It is therefore an objective of the invention to provide a startup storage 
medium that causes the computer to automatically execute anti-virus software 
each time the computer starts from the storage medium, i.e., during bootstrap, 
so as to detect bootstrap-time viruses before or after they have executed and 
implanted themselves in the system. 

It is a further objective to provide a storage medium that stores the anti- 
virus software without reducing the amount of conventional storage capacity of 
the storage medium. 

It is a further objective to provide a storage medium that stores the anti- 
virus software so as to make it inaccessible to many viruses. 

It is a further objective to provide a mechanism to detect and repair virus- 
inflicted damage to the anti-virus software. 

It is a yet further objective to provide a virus-tolerant storage medium that 
can withstand an attack by a virus without incurring damage to information 
stored thereon. 

Other objectives will, in part, be obvious and will, in part, appear 
hereinafter. The invention accordingly comprises an article of manufacture 
possessing the features and properties exemplified in the constructions 
described herein and the several steps and the relation of one or more of such 
steps with respect to the others and the apparatus embodying the features of 
construction, combination of elements and the arrangement of parts which are 
adapted to effect such steps, all as exemplified in the following detailed 
description, and the scope of the invention will be indicated in the claims. 

SUMMARY OF THE INVENTION 

The invention provides a storage medium on which is stored anti-virus 
software and/or software designed to detect and repair damage to stored 
information, as well as instructions to cause a computer to execute the software 
whenever the disk is used to start the computer. The invention may be broadly 
applied to a variety of storage media amenable to selective actuation by a 
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user— that is, designation by the user as a temporary or permanent "system" 
device from which the computer can boot. Most commonly, computers boot from 
a disk: the permanently installed hard drive or a selectably introduced diskette, 
either of which contains the necessary bootstrap program. A user may, 
however, designate a non-disk device such as a flash ROM, removable bubble 
RAM, an optical storage device such as a CD-ROM, or a tape drive as the 
system device that the computer accesses during startup. Another alternative is 
a non-local storage medium, i.e., one not intimately associated with the 
computer, such as a network disk configured to operate as a shared resource 
among the computers connected to the network (where the network may be a 
local-area network, a wide-area network or even the Internet). Any of these 
storage devices may be selected or designated by a user in the sense of 
configuring the computer to look to this device for the bootstrap program. 

Alternatively, the invention provides a storage medium having a "hidden 
partition" in which the anti-virus and/or repair software is stored; the hidden 
partition not only shields the software from many viruses, but provides storage 
space that does not reduce the medium's formatted or advertised capacity. 
Once again, the concept of a partition is not confined to disks, but applies to the 
various storage media discussed above. The storage medium of the present 
invention preferably also includes software to cause the computer to execute the 
anti-virus software. The invention provides a hidden partition by utilizing space 
on the storage medium that is not reflected in the size and geometry information 
stored on the medium, e.g., in the BIOS Parameter Block. Heretofore, no reason 
existed for a vims to assume storage space existed on a disk beyond that 
reflected by the BIOS Parameter Block or to access such space because the 
BIOS Parameter Block is the standard mechanism for identifying the 
configuration and storage capacity of a disk. 

A "conventional program" herein means a program that either relies on 
the accuracy of the BIOS Parameter Block to access the storage medium or 
accesses the medium via an operating system that so relies. Most viruses are 
conventional programs. Advantageously, the invention utilizes the hidden 
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partition to make programs and information stored in the hidden partition 
inaccessible to most existing viruses. In addition, storing programs and 
information in the hidden partition does not reduce the amount of available 
space on the storage medium, as reflected by the BIOS Parameter Block. 

The invention provides the hidden partition by taking advantage of 
unutilized storage capacity on the storage medium. For example, diskettes 
commonly have gaps between the sectors of a track In one embodiment, the 
invention provides a diskette in which at least some of the gaps have been 
reduced in size, thereby bringing closer together the sectors of the track and 
leaving enough room for one or more additional sectors on the track. Not all 
tracks need have the same number of additional sectors. The additional sectors 
on all the tracks collectively form the hidden partition. Information in the BIOS 
Parameter Block does not reflect the existence of the additional sectors. 

Hard disks generally have unutilized storage capacity in the form of spare 
sectors and/or spare tracks, the existence of which is not reflected by 
information in the BIOS Parameter Block. A hard disk lacking such spares 
generally can be formatted to contain them. 

The invention provides a storage medium on which a special bootstrap 
program is stored in the boot block and, if the storage medium functions at 
startup, the normal bootstrap program is stored elsewhere on the medium. The 
special bootstrap program causes the computer to execute the software stored 
in the hidden partition and then, upon completion of that software (and if the 
storage medium functions at startup), to execute the normal bootstrap program, 
which causes the computer to execute the operating system. A source listing of 
an exemplary special bootstrap program appears later in this specification. 

Alternatively, the storage medium also contains a bootstrap-time 
operating system ("BTOS") and the special bootstrap program causes the 
computer to execute the BTOS. The BTOS causes the computer to execute one 

m 

or more anti-virus, disk-maintenance (described below), and/or other programs 
stored in the hidden partition and then, upon completion of the programs (and if 
the storage medium functions during startup), to execute the normal bootstrap 
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program. The normal bootstrap program causes the computer to perform an 
otherwise-normal startup, including executing the operating system (e.g., MS- 
DOS) with which the user can interact and which provides services to 
application programs. The operating system invoked by the normal bootstrap 
program is herein referred to as the "ultimate operating system" to distinguish it 
from the BTOS. "Post-bootstrap" herein means the time and steps taken after 
execution of the normal bootstrap program. 

The BTOS facilitates the development and use of programs that must be 
executed before an ultimate operating system is executed. Executing before the 
ultimate operating system provides advantages to anti-virus software because 
the software can take advantage of conditions within the computer that only exist 
during bootstrap and do not exist after the computer begins executing the 
ultimate operating system. For example, an "interrupt vector* contains the 
address of a routine that is associated with the vector and that handles requests 
for service from a program or device. Whenever the program or device (e.g., a 
hard disk) requests service ('generates an interrupt"), the computer uses the 
address in the vector to pass control to the service routine. During bootstrap, 
the disk vector initially points to a well-known routine within the Basic 
Input/Output System (BIOS), but the ultimate operating system changes the 
vector to point to a routine within itself. Many viruses modify the disk vector to 
point to themselves, but it is difficult for an anti-virus application program to 
distinguish a disk vector that points to a virus from one that points to a routine 
within an ultimate operating system; thus it is easier for anti-virus software to 
detect the presence of a virus by examining the disk vector before the computer 
begins executing an ultimate operating system. The BTOS provides additional 
advantages in that developers of programs that must be executed before an 
ultimate operating system are relieved of developing special mechanisms that 
alter normal startup operations in order to invoke the programs; in addition, the 
BTOS provides low-level services to the programs and so simplifies them, and 
relieves users from concerning themselves with the details of invoking 
potentially several bootstrap-time programs. 
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Software that accesses the hidden partition is written with the knowledge 
that the additional sectors exist The software accesses the additional sectors 
via program calls to the BIOS or BTOS rather than to the ultimate operating 
system because the BIOS and BTOS allow access to arbitrary addresses on the 
disk regardless of the contents of the BIOS Parameter Block and the ultimate 
operating system does not. 

Alternatively, the storage medium also contains an application program 
that causes the computer to execute the anti-virus, disk-maintenance and/or 
other software that is stored in the hidden partition. This application program is 
not a conventional program because it is capable of accessing the hidden 
partition without relying on the BIOS Parameter Block or using an operating 
system that so relies. Such a program allows the user to run the anti-virus 
software even if a virus has attacked the special startup program and thereby 
prevented execution of the anti-virus software at bootstrap time. The anti-virus 
program examines the special startup program located in the boot block and 
repairs any damage done to it so it will function properly on subsequent 
bootstraps. 

In case a virus attacks a storage medium having the anti-virus capabilities 
described above, the invention enables the disk to withstand the attack without 
incurring damage to files stored on the medium. The invention provides a virus- 
tolerant storage medium that prevents an operating system from placing files in 
sectors that are known to be attacked by several viruses, thereby shielding the 
files from attack by the viruses. An operating system uses a file system to 
manage storage space on a storage medium (typically a disk) and create, 
delete, catalog and facilitate access to files on the storage medium. On a disk, 
storage space is allocated in units of "clusters" (contiguous groups of sectors). 
All clusters on a disk contain the same number of sectors and each cluster has a 
"cluster number" and a corresponding entry in a file system allocation table, e.g., 
the File Allocation Table or "FAT" in MS-DOS. The file system "chains" together 
clusters to allocate space to a file. Each FAT entry records whether the 
corresponding cluster is available, bad, or in use by a file. If it is in use, the 
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entry contains the cluster number of the next cluster in the chain for the file or, if 
it is the last cluster of the file, a "last-cluster" flag. The following Table 2 lists the 
relevant field of a FAT entry. A "directory" catalogs files stored on a disk. For 
each file, a directory stores the file's attributes, e.g., read-only, and correlates 
the file's name and extension to its first cluster number. Directories can be 
organized into a hierarchy starting at a "root" directory. The following Table 3 
lists the relevant fields of a directory entry. Disk-maintenance software, such as 
CHKDSK, SCANDISK and SpinRite, uses well-known techniques to detect and 
repair damage to information, such as the FAT and directory, stored by the file 
system and to overcome recording errors, such as signals that are recorded off- 
center on a track. The invention provides a storage medium having entries in its 
file system allocation table that prevent the allocation to any file of sectors that 
are known to be attacked by viruses. For example, the entries can mark the 
sectors as being "bad" or already in use. 



Size 


Field 


3 nibbles (for 12-bit FAT) 
2 bytes (for 16-bit FAT) 

4 bytes (for 32-bit FAT) 


Next cluster number or flag 



Table 2 - Selected Field of a FAT (File Allocation Table) Entry 



Size (bytes) 


Field 


8 


File Name 


3 


File Extension 


1 


File Attributes (e.g. read-only) 


2 (4 for 32-bit FAT) 


First Cluster Number 



Table 3 - Selected Fields of a Directory Entry 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing discussion will be understood more readily from the 
following detailed description of the invention, when taken in conjunction with 
the accompanying drawings, in which: 

Fig. 1 is a diagram of the sectors of one surface of a diskette that has a 

hidden partition according to the invention; 
Fig. 2 is a diagram of the sectors of one surface of a hard disk having a 

hidden partition according to the invention; and 
Fig. 3 is a flowchart illustrating a bootstrap sequence involving a disk 
provided by the invention. 

DESCRIPTIO N OF THE PREFERRED EMBODIMENT 

The following discussion illustrates application of the invention to a 
storage medium in the form of a disk or diskette, it being understood that other 
storage media (e.g., flash ROM, removable bubble RAM, an optical storage 
device such as a CD-ROM, or a tape drive) may be substituted therefor and are 
considered within the scope of the invention. Refer first to Fig. 1 , which shows 
generally at 100 a surface of a diskette according to the invention, with 
representative tracks 102a-d and 104a-c. Each track has sectors, such as 
sector 1 06. On a prior art high-density 1 .44 MB (formatted capacity) diskette, 
each track contains 18 sectors (numbered 1-18). Tracks 102a-d each contain 
18 sectors, as in the prior art As a diskette spins, the gaps between sectors 
provide an opportunity for circuitry within the diskette drive to synchronize itself 
with the carrier and data signals recorded on the diskette. The size of the gap 
between the sectors of tracks 102a-d is represented by angle 108. The size of 
the gap, represented by angle 110, between the sectors of tracks 104a-c is 
smaller than the size of the gap 108 between the sectors of tracks 102a-d, 
leaving room for, preferably, two additional sectors per track without negatively 
impacting the ability of the circuitry to synchronize itself. The gap can be further 
reduced, leaving room for three additional sectors per track, but with current 
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technology such small gaps negatively impact the ability of the circuitry to 
synchronize itself. The additional sectors in track 104c are sector number "19" 
(112a in Fig. 1) and sector number '20° (112b in Fig. 1). Collectively, all the 
additional sectors on the diskette, such as sectors 112a-f, make up the hidden 
partition 114. (Fig. 1 assumes that only tracks 104a-c have additional sectors.) 

Not all tracks need contain additional sectors, thus making it difficult for a 
virus to detect the existence of the hidden partition 1 14 and the location of the 
tracks 104a-c that contain additional sectors. The manufacturer of diskettes can 
vary, from diskette to diskette, which tracks have additional sectors. Preferably, 
all tracks contain two additional sectors, providing a total of 160KB in the 
hidden partition of an 80-track diskette. Advantageously, these two additional 
sectors at the end of each track provide a rotational delay between the last 
conventional sector (e.g., sector number "18") of a track and the first sector of 
the next track. This delay allows the diskette drive enough time to reposition the 
head on the next track before the first sector of the next track passes under the 
head, thereby speeding up access to data on the diskette. Without this delay, 
the first sector of the next track would pass under the head before the diskette 
drive could reposition the head and, once the drive repositions the head, the 
drive would incur a time penalty of nearly one revolution before it could read the 
first sector in the next track. 

Table 1 lists the fields of the BIOS Parameter Block that are relevant to 

■ 

the invention. The BIOS Parameter Block located on diskette contains the value 
"18" in the "Number of sectors per track" field. The "Total number of sectors in 
volume (logical partition)" field contains the product of 18, the number of tracks 
per surface and the number of surfaces on the diskette. Thus, the BIOS 
Parameter Block located on the diskette hides the additional sectors 1 12a-f, 
therefore making the hidden partition 1 14 inaccessible to conventional 
programs. 

Fig. 2 shows generally at 200 a surface of a hard disk according to the 
invention, including representative tracks 202a-e and representative sectors, 
such as sector 204. If the hard disk does not have spare sectors and/or spare 
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tracks, or if it is not desirable to utilize these spares to form a hidden partition, 
the hard disk can be formatted so that the BIOS Parameter Block on the disk 
does not reflect the existence of selected sectors. For example, by reducing the 
"Number of sectors per track" field in the BIOS Parameter Block by two and 
reducing the Total number of sectors in volume (logical partition)* field by the 
product of two, the number of tracks per surface and the number of surfaces on 
the disk, sector number "681° and sector number "6&T in each track 202a-e, 
i.e. f sectors 206a-j, become part of the hidden partition 208, and therefore 
inaccessible to conventional programs. However, I prefer to create a hidden 
partition on the last sectors of a disk by simply reducing the "Total number of 
sectors in volume (logical partition)" field in the BIOS Parameter Block because 
this enables the creation of a hidden partition of arbitrary size. 

Fig. 3 is a flowchart illustrating a bootstrap sequence involving a disk 
provided by the invention. Upon application of power or a reset signal, the 
computer starts at step 300 performs a power-on self-test (TOST) at step 301 
and executes the special bootstrap program at step 302. 

At decision step 304, the special bootstrap program ascertains whether 
the computer was started from a diskette or from a hard disk. If the computer 
was started from a diskette, at step 306 the special startup program warns the 
user of the risk of propagating a virus inherent in starting the computer from a 
diskette. The risk exists because a diskette that was previously inserted in 
another computer may have been infected by a virus running on the other 
computer, even if the diskette was not used to start the other computer. 

At step 308 the special startup program performs an integrity test on itself 
to ascertain whether it has been damaged, e.g., by a virus attack, and 
announces the results of the self-test. 

At step 310 the special startup program causes the computer to execute 
the BTOS, which is stored in the hidden partition 1 14 or 208. At step 312 the 
BTOS checks for indication of the existence of viruses in the computer and 
announces the results of the check. For example, the BTOS examines the disk 
vector, as described earlier. At step 314 the BTOS then causes the computer to 
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load and execute virus removal and integrity check software, which is stored in 
the hidden partition 1 14 or 208. 

At decision step 31 5 f if all detected viruses have been removed, the 
software checks at decision step 316 whether the special bootstrap program in 
the boot block had been attacked. If so, at step 317 the software copies one of 
several backup copies of the special bootstrap program, which are stored in the 
hidden partition 114 or 208, to the boot block. 

In addition to being capable of detecting the existence of viruses in the 
computer, the BTOS is an operating system and can provide services to 
application programs ("compliant programs") written to make program calls to it. 
At step 318 the BTOS causes the computer to search the hidden partition for 
compliant programs, such as third-party anti-virus, disk-maintenance or other 
software, and to load and execute any such programs it finds. Alternatively, the 
BTOS can search for compliant programs on portions of the disk in addition to 
the hidden partition, but I prefer to store all such software on the hidden partition 
so it does not reduce the conventional storage capacity of the disk and to make 
it inaccessible to conventional viruses. 

At step 320 the BTOS restores the memory and registers of the computer 
to an "initialization** state, i.e., substantially the state that existed immediately 
after the POST. This state is well known, particularly to practitioners who write 
BIOS programs, and the step is necessary to enable the normal bootstrap 
program to execute correctly. For example, when a virus modifies the disk 
vector, the virus stores within itself the original contents of the vector so the 
vims can pass control to the disk handling routine after performing its mischief. 
When the anti-virus software detects such a modified vector, it examines the 
virus, retrieves the original contents of the vector and restores the vector's 
original contents. The location at which a virus stores the original contents can 
be ascertained by "disassembling" the virus. Disassembly is a well-known 
process of converting object code to source code. 

As a second example, the anti-virus software recovers memory utilized by 
a virus when it removes the virus. Viruses often mask their presence by 
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reducing the apparent amount of memory on the computer by an amount equal 
to their size (including buffers, etc.), e.g., by reducing a field in the BIOS Data 
Area that contains the number of kilobytes of memory that exist below memory 
address 640KB. Generally, an ultimate operating system examines the BIOS 
Data Area when it begins executing and configures itself accordingly. 
Application program anti-virus software removes a virus after the ultimate 
operating system begins executing, thus after the ultimate operating system has 
examined the BIOS Data Area, so despite having removed the virus the 
application program anti-virus software does not enable the ultimate operating 
•system to utilize the memory previously utilized by the vims. Anti-virus software 
provided by the invention executes before the ultimate operating system so, 
after removing a virus, it increases the field in the BIOS Data Area by the 
amount of memory recovered, thereby enabling the ultimate operating system to 
utilize the recovered memory. 

At step 322 the BTOS causes the computer to execute the normal 
bootstrap program and then finishes at step 324. The normal bootstrap program 
causes the computer to execute the ultimate operating system. 

Several viruses are known to attack certain sectors and certain clusters of 
a disk In case a virus attacks a disk having the anti-virus capabilities just 
described, these sectors and clusters are preferably allocated to a "dummy" file, 
thereby preventing their being allocated to any other files or used by directories, 
thus preventing these viruses from inflicting any damage on the files or 
directories. Some viruses attacked the two sectors of a disk that generally 
contain the last two sectors of the root directory. Reducing the size of the root 
directory by two sectors (see Table 1, "Number of entries in root directory" field 
of the BIOS Parameter Block) prevents this type of attack on the root directory. 
Preferably, the dummy file includes the first two sectors removed from the root 
directory, i.e., the first two clusters on the disk after the root directory, and the 
cluster comprising the last track on the last surface. (Assuming the cluster size 
is equal to one.) The dummy file, named "ViToler8.(c)*, has an entry in the 
directory and entries, corresponding to the above-listed sectors and clusters, in 
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the FAT. The directory entry marks the file as "hidden" in the MS-DOS sense. 
MS-DOS does not list hidden files when it provides a directory listing of files, so 
users will not generally know the file exists. While users can remove the hidden 
attribute from the file, marking the file hidden reduces the possibility that a user 
will delete the file and thereby make the virus-targeted clusters and sectors 
available for allocation to other files. 

While I prefer to use a hidden partition to store the anti-virus, disk- 
maintenance and other software and the BTOS, it is also possible to utilize a 
disk with no hidden partition and store any of these within the conventional 
storage capacity of the disk. In such a case, the special bootstrap program 
causes the computer to execute the anti-virus software or BTOS and then, if the 
disk is a startup disk, to execute the normal bootstrap program. When the anti- 
virus, disk-maintenance, or other software or the BTOS is stored within the 
conventional storage capacity of the disk, its files should be marked as hidden in 
the MS-DOS sense to reduce the possibility that a user will delete them or that a 
virus will attack them. 

It will therefore be seen that I have developed a virus-tolerant and virus-resistant 
disk and method of executing software prior to an ultimate operating system, 
which can be utilized with a variety of anti-virus, disk-maintenance, and other 
software to address a range of computer viruses. The terms and expressions 
employed herein are used as terms of description and not of limitation, and there 
is no intention, in the use of such terms and expressions, of excluding any 
equivalents of the features shown and described or portions thereof, but it is 
recognized that various modifications are possible within the scope of the 
invention claimed. 

PROG RAM -LI STING APPENDIX 

******************* 

* FILE TUNING. INC * 
******************* 

; TUNING. INC CREATED BY MAKEFILE 
DQSector EQU 01 6H 
DQCylinder EQU 002H 
RETRY EQU 05H 



♦ 
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* + *** + + *<**** + *** + 

* FILE BOOT. INC * 
****************+ 



; CORE. INC (tm) 

/Copyright (c) 1995 OverByte Corporation 



FARFUN MACRO 

n&_funptr 

n&_of fset 

DW 
DW 
ENDM 



n 

LABEL. DWORD 
LABEL WORD 
OFFSET n 
0 



; The SLACK macro calculates the space used up by the 
program 

; relative to the space it is permitted to use up. 
Ideally 

; this should be of size 0. 

■ K • __ _ _ _ _ 

t — 

TELLS I ZE MACRO ' COUNT, RELATIVE, MAX, MSG 

IFDEF MODULENAME 

%OUT % (MODULENAME) &COUNT(dec) RELATIVE than MAX (hex) 
MSG. 

ELSE 

%OUT CODE &C0UNT(dec) RELATIVE than MAX (hex) MSG 
ENDI F 

ENDM 

SLACK MACRO COUNT , MAX , MSG , MN 

LOCAL diff 

IF2 

IF ( &COUNT LT 0 ) OR ( & COUNT GT MAX ) 
diff EQU ( 65535 - & COUNT 4 1 ) 

TELLSIZE % (diff) , larger, MAX, MSG 

.ERR 
ELSE 

TELLSIZE COUNT, smaller,MAX, MSG 

ENDIF 
ENDIF 

ENDM 

* 

****************** 

* FILE: BOOT. ASM * 
****************** 



;BOOT (tm) 



WO 98/12636 



PCT/US97/02345 



17 



/Copyright (c) 1995 OverByte Corporation 



; MODULE NAME EQU "BOOT" 

INCLUDE BOOT. INC 
INCLUDE TUNING. INC 



STACK 
STACK 
BOOT 



begin: 



SEGMENT PARA stack 'STACK' 
ENDS 

SEGMENT BYTE PUBLIC 'CODE' 
ASSUME CS : BOOT 
ORG 0 

JMP SHORT simple 
NOP 



BPB 



entries 
diskette 



EAT 
track 



DB 
DW 
DB 
DW 
DB 
DW 

DW 

DB 
DW 

DW 



DW 
DD 

sectors 
EBPB DD 

DB 

DB 

DB 

DD 

DB 

DB 

DW 

; 64 BYTE mark 
simple: MOV BX,CS 
at 



"OverByte" 

200H 

1 

1 

2 

OEOH 

OB40H 

OFOH 
9 

12H 

2 
0 

0 
0 
0 
0 
0 

"OverBoot tm 
"FAT12 " 
0 



If 



ADD 

free 

; to be used 

MOV 

CS:7C0Q 

MOV 

be put 



BX, 780H 

SS,BX 
SP, 400H 



OEM 

Bytes per sector 
Sectors per cluster 
Reserved sectors 
Number of FATs 
Number of ROOT DIR 

Number of sectors on 



; Media Descriptor Byte 

; Number of sectors per 

; Number of sectors per 

; Number of heads 

; Number of hidden 



; Volume label 

; File system type 

; Leave 2 bytes unused 

; BOOT is always loaded 

; CS:7C00 

; Where at least IK is 



at CS:7800 through 
Because the stack will 
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ADD 

CS:7C00 

PUSH 
proceed at 

MOV 
PUSH 
RETF 
PUSH 



this 



POP 

ASSUME 
MOV 



SUB 
MOV 



while 





CALL 




CALL 




MOV 




JC 


Invalid 






MOV 


badness 


: CALL 




XOR 




INT 




MOV 




OR 


value 






JZ 




MOV 




INT 




INT 


reboot : 


MOV 




MOV 




DB 


worry 


DB 




DB 



message DB 
diskok DB 
DB 
DB 
DB 
DB 
DB 
DW 
DW 
DW 
DW 



nomem 
nodsk 
noapp 
myNO 
myCX 
myDX 
my IP 
myES 



BX,40H 
BX 



; directly underneath 
; and execution will 



BX, OFFSET sevenc; (CS+7C0):0 
BX 



CS 



DS 

DS : BOOT 
myCS , CS 



myCS, 7C0H 

SI, OFFSET worry 



show 
fast 

SI, OFFSET message 
badness 

SI, OFFSET diskok 
show 
AX, AX 
16H 

AX,CS:myCS 
AX, AX 



; Operational DATA is in 
; segment 

Adjust segment so DATA 
at OFFSET 0 
Message asking wait 
DisQuick loads 



Load DisQuick 

If load failed, show 

Otherwise show OK 

Wait for a key 
Check for segment 



reboot 
AX,4C01H 



; If run from DOS, don*t 
/ reboot, but EXIT 



21H 
2 OH 
ES,AX 

WORD PTR ES:[472H],0 
OEAH, 0, 0, OFFH, OFFH 

0dh,0ah, "DisQuick (tm) diskette load" 

0dh,0ah, "Please wait. ,T ,0 

Odh, Oah, "Invalid " 

"DisQuick (tm) diskette" 

Odh, Oah, "Press any key",0 

Odh, Oah, "RAM too small", 0 

Odh, Oah, "DISK failed" , 0 

Odh, Oah, "Bad DisQuick", 0 
OFFH 

(DQSector + ( DQCylinder SHL 8 ) ) 

0 

0 

0 
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myCS 


DW 


0 


show 


PROC 


NEAR 




CLD 




more: 


LODSB 






OR 


AL, AL 




JZ 


done 




MOV 


AH, OEH ; 


messages 






MOV 


BL, 0 




INT 


10H 




JMP SHORT more 


done: 


RET 




show 


ENDP 




fast 








PUSH 


AX 




PUSH 


BX 










PUSH 


DX 




PUSH 


BP 




PUSH 


SI 




PUSH 


DI 




PUSH 


ES 




MOV 


BX, 40H 




MOV 


ES,BX 




MOV 


BX, 13H 




MOV 


BX,ES: [BX] 


this PC 








CMP 


BX, 1EAH 


two 








JAE 


memok 




MOV 


SI, OFFSET 


not 








CALL 


show 




JMP 


ignore 


memok : 


MOV 


AX,CS 




ADD 


AX, 0003FH 




AND 


AX, OFFCOH 




ADD 


AX, 4 OH 




MOV 


ES,AX 



/ Use TTY output in BIOS to show 



next IK 



; Ask BIOS how much RAM 
; has 

; 512K minus a virus or 



; enough RAM 



ASSUME ES : NOTHING 
MOV myES,ES 



/ align load area at 
; boundary 



next: 
again: 



MOV 
PUSH 



CX, RETRY 
CX 
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MOV 



current 



from 



MOV 
XOR 
MOV 



INT 



DX,myDX 



CX,myCX 

BX,BX 

AX,202H 



13H 



; Using location of 
; chunk to load 



; Keep loading IK chunks 
; hidden partition 



is 



POP 

JNC 

PUSH 

XOR 

XOR 

INT 

POP 

LOOP 



CX 

good 
CX 

AX, AX 
DX,DX 
13H 
CX 

again 



MOV 
CALL 
JMP SHORT ignore 



SI, OFFSET nodsk 
show 



; Until all of DisQuick 
; loaded 



good: 



in APP 
use: 

count : 
next 



head: 



MOV 
CMP 

JNE 
PUSH 
XOR 
MOV 

POP 
MOV 
MOV 



MOV 
INC 
AND 
JNZ 
INC 

MOV 
MOV 

MOV 
ADD 
MOV 
ASSUME 



DL,myNO 
DL, OFFH 
count 
BX 

BX,BX 

DX,ES: [BX+2] 
BX 

my NO, DL 
DX,myDX 



CX/myCX 
DH 

DH, 1 
head 
CH 

myCX,CX 
myDX,DX 

AX,ES 

AX,40H 

ES,AX 

ES: NOTHING 



; This will be Kilobytes 



; Adjust to location of 
; chunk to load 



DEC rayNO 
MOV AL, myNO 
OR AL, AL 



WO 98/12636 



PCT/US97/02345 



21 

JNZ next ; Go fetch the next chunk 



Launch 



launch: 



CMP 
JE 

MOV 

CALL 

JE 

PUSH 

CALL 

ADD 

PUSH 

POP 

ASSUME 



BX, DWORD PTR my IP 

WORD PTR ES: fBX] , 002EBH 

launch 

SI, OFFSET noapp 

show 

ignore 

myCS 

DWORD PTR mylP ; Execute DisQuick 

SP,2 

CS 

DS 

DS : BOOT 



ignore: 
success 



CLC 

JMP SHORT success 
STC 

ES 
DI 
SI 
BP 
DX 
CX 
BX 
AX 



fast 
codeend 

bootend 



:POP 
POP 
POP 
POP 
POP 
POP 
POP 
POP 
RET 
ENDP 



ORG 
DW 



1FEH 
0AA55H 



IF 0 

BOOTSIZE EQU ( { OFFSET CS:bootend ) - ( OFFSET 
CS: codeend ) ) 

SLACK % (BOOTSIZE) , 0200H, "from end of BOOT code to AA55" 
ENDIF 

BOOT ENDS 

END begin 
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CLAIMS 

1 1 . A virus-resistant storage medium for use with a computer, the starage 

2 medium being selectably actuable by a user and comprising: 

3 (a) anti-virus software stored on the storage medium and 

< configured to cause the computer to detect and remove from a 

5 component thereof at least one virus; and 

e (b) means for causing the computer to execute the anti-vims 

7 software upon startup of the computer but before the computer 

8 executes an ultimate operating system. 

1 2. The virus-resistant storage medium of claim 1 wherein the medium is 

2 a flash ROM. 

1 3. The virus-resistant storage medium of claim 1 wherein the medium is 

2 a bubble RAM. 

t 4. The virus-resistant storage medium of claim 1 wherein the medium is 

2 an optical storage device. 

1 5. The virus-resistant storage medium of claim 1 wherein the medium is 

2 a tape drive. 

1 6. The virus-resistant storage medium of claim 1 wherein the medium is 

2 a disk. 

1 7. The virus-resistant storage medium of claim 1 , wherein the execution- 

2 causing means comprises bootstrap software stored on the medium, 

3 execution of the bootstrap software causing the computer to execute 

4 the anti-virus software prior to post-bootstrap operations, the 

s bootstrap software being executed upon startup of the computer. 
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1 8. 


The virus-resistant storage medium of claim 1, wherein: 


2 


(a) 


the computer comprises memorv and reaisters* 


3 


(b) 


the computer has an initialization state in which the memory 


4 




and registers of the computer accurately reflect the amount of 


5 




memory on the computer and no interrupt vector in the 


6 




computer contains an address of a routine within a virus; and 


7 


(c) 


the anti-virus software is configured to cause the computer, 


A 




after detecting and removing a virus, to enter the initialization 


9 




state. 


1 9. 


A virus-resistant storage medium for use with a computer, the storage 


2 


medium having a conventional storage capacity and comprising: 


3 


(a) 


a hidden partition comprising storage space inaccessible to 


4 




conventional programs and not reducing the conventional 


5 




storage capacity; 


6 


(b) 


means for describing the conventional storage capacity but not 


7 




describing the hidden partition, thereby making the hidden 


6 




partition inaccessible to conventional programs; 


9 


(c) 


anti-virus software stored in the hidden partition and 


10 




configured to cause the computer to detect and remove from a 


11 




component thereof at least one virus; and 


12 


(d) 


means for causing the computer to execute the anti-virus 


13 




software. 



1 1 0. The virus-resistant storage medium of claim 9, wherein the execution- 

2 causing means comprises bootstrap software stored on the medium, 

3 execution of the bootstrap software upon startup of the computer 

4 causing the computer to execute the anti-virus software prior to post- 
s bootstrap operations. 
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1 11. The virus-resistant storage medium of claim 9, wherein the anti-virus 

2 software comprises at least one anti-virus program and the execution- 

3 causing means comprises: 

» 

(d1 ) bootstrap software stored on the storage medium; and 



5 (d2) a bootstrap-time operating system stored in the hidden 

e partition for causing the computer, upon startup, to 

7 automatically execute the bootstrap software, said bootstrap- 

8 software execution causing the computer to execute the 

9 bootstrap-time operating system, said operating-system 

10 execution causing the computer to execute the at least one 
n anti-virus program prior to post-bootstrap operations. 

1 1 2. The virus-resistant storage medium of claim 1 1 further comprising: 

2 (e) maintenance software stored in the hidden partition for causing 

3 the computer to detect and repair damage to information 

4 stored on a component thereof; and wherein 

5 (f) the bootstrap-time operating system causes the computer to 

e execute the maintenance software prior to post-bootstrap 

7 operations. 



1 13. The virus-resistant medium defined in claim 9, wherein the execution- 

2 causing means comprises an application program stored on the 

3 medium. 

1 14. The virus-resistant medium defined in claim 9, wherein the medium 

2 has a plurality of tracks on each of at least one surface and the 

3 hidden partition comprises storage space on fewer than all the tracks. 
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The virus-resistant medium defined in claim 9, wherein the disk has a 
plurality of tracks on each of at least one surface and the hidden 
partition comprises storage space on all the tracks. 

The virus-resistant medium defined in claim 9, wherein: 

(a) the computer comprises memory and registers; 

(b) the computer has an initialization state in which the memory 
and registers of the computer accurately reflect the amount of 
memory on the computer and no interrupt vector in the 
computer contains an address of a routine within a virus; and 

(c) the anti-virus software is configured to cause the computer, 
after detecting and removing a virus, to enter the initialization 
state. 

A storage medium for use with a computer, the storage medium being 
selectably actuable by a user and comprising: 

(a) maintenance software for causing the computer to detect and 
repair damage to information stored on a component thereof; 
and 

(b) means for causing the computer to execute the software upon 
startup of the computer but before the computer executes an 
ultimate operating system. 

A storage medium for use with a computer, the storage medium 
having a conventional storage capacity and comprising: 

(a) a hidden partition comprising storage space inaccessible to 
conventional programs and not reducing the conventional 
storage capacity; 

(b) means for describing the conventional storage capacity but not 
describing the hidden partition, thereby making the hidden 
partition inaccessible to conventional programs; 
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9 (c) maintenance software stored in the hidden partition for causing 

10 the computer to detect and repair damage to information 

11 stored on a component thereof; and 

12 (d) means for causing the computer to execute the software. 

1 19. A method of operating a computer to avoid virus infection, the method 

2 comprising: 

3 (a) providing a storage medium selectably actuable by a user; 

4 (b) storing, on the storage medium, anti-virus software configured 
s to cause the computer to detect and remove from a component 

6 thereof at least one virus; and 

7 (c) for causing the computer to execute the anti-virus software 

e upon startup of the computer but before the computer executes 

9 an ultimate operating system. 



i 20. The method of claim 21 wherein the medium is a flash ROM. 

i 21 . The method of claim 21 wherein the medium is a bubble RAM. 

1 22. The method of claim 21 wherein the medium is an optical storage 

2 device. 

1 23. The method of claim 21 wherein the medium is a tape drive, 

i 24. The method of claim 21 wherein the medium is a network disk. 

1 25. A method of causing a computer to execute at least one program 



2 upon startup of the computer but before the computer executes an 

3 ultimate operating system, the method comprising the steps: 

4 (a) providing a startup disk comprising a hidden partition 

5 comprising storage space inaccessible to conventional 

6 programs and not reducing conventional storage capacity of 

7 the disk; 

a (b) providing a bootstrap-time operating system stored in the 
9 hidden partition; 
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(c) causing the computer to execute the bootstrap-time operating 
system upon startup of the computer but before the computer 
executes the ultimate operating system; 

(d) causing the computer to execute the at least one program 
under the control of the bootstrap-time operating system; and 

(e) upon completion of the at least one program, executing the 
ultimate operating system. 

The method defined in claim 25, wherein the at least one program is 

• » 

anti-virus software stored in the hidden partition and configured to 
cause the computer to detect and remove from a component thereof 
at least one virus. 

The method defined in claim 26, wherein: 

(a) the computer comprises memory and registers; 

(b) the computer has an initialization state in which the memory 
and registers of the computer accurately reflect the amount of 
memory on the computer and no interrupt vector in the 
computer contains an address of a routine within a virus; and 

(c) the anti-virus software is configured to cause the computer, 
after detecting and removing a virus, enter the initialization 
state. 

The method defined in claim 27, wherein the at least one program is 
disk-maintenance software stored in the hidden partition and 
configured to cause the computer to detect and repair damage to 
information stored on a component thereof. 

A virus-tolerant disk having sectors and a file system allocation table 
for allocating the sectors to files, the virus-tolerant disk comprising: 

(a) a predetermined subset of the sectors, comprising sectors 
attacked by at least one virus; and 

(b) entries, corresponding to the predetermined sectors, in the file 
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system allocation table for making the predetermined sectors 
unavailable for allocation to any file, the entries being made 
prior to an attack by a virus. 

A virus-resistant storage medium for use with a computer, the storage 
medium having a conventional storage capacity and comprising: 

(a) a hidden partition comprising storage space inaccessible to 
conventional programs and not reducing the conventional 
storage capacity; 

(b) means for describing the conventional storage capacity but not 
describing the hidden partition, thereby making the hidden 
partition inaccessible to conventional programs; 

(c) anti-virus software stored in the hidden partition and 
configured to cause the computer to detect and remove from a 
component thereof at least one virus; and 

(d) means for causing the computer to execute the anti-virus 
software. 

The virus-resistant storage medium of claim 30, wherein the 
execution-causing means comprises bootstrap software stored on the 
disk, execution of the bootstrap software upon startup of the 
computer causing the computer to execute the anti-virus software 
prior to post-bootstrap operations. 

The virus-resistant storage medium of claim 30, wherein the anti-virus 
software comprises at least one anti-virus program and the execution- 
causing means comprises: 

(d1 ) bootstrap software stored on the storage medium; and 
(d2) a bootstrap-time operating system stored in the hidden 
partition for causing the computer, upon startup, to 
automatically execute the bootstrap software, said bootstrap- 
software execution causing the computer to execute the 
bootstrap-time operating system, said operating-system 
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execution causing the computer to execute the at least one 
anti-virus program prior to post-bootstrap operations. 

The virus-resistant storage medium of claim 32 further comprising: 

(e) maintenance software stored in the hidden partition for 
causing the computer to detect and repair damage to 
information stored on a component thereof; and wherein 

(f) the bootstrap-time operating system causes the computer to 
execute the maintenance software prior to post-bootstrap 
operations. 
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